first changes

host_vars/TUXEDO-Book-XP1511.universe.local.yml

@@ -3,7 +3,7 @@ ssh_port: 22
 ssh_users: rene
 
 #application selection
-autofs: false
+autofs: true
 borgbackup: true
 brave: true
 broot: true
@@ -11,7 +11,7 @@ chromium: true
 docker: false
 firefox: true
 games: true
-gimp: false
+gimp: true
 google_chrome: false
 joplin: true
 keepass: true
@@ -19,13 +19,13 @@ keepassxc: true
 libreoffice: true
 midnightcommander: true
 nextcloud_client: true
-nvidia: false
+nvidia: true
 pacaur: true
 ranger: true
 syncthing: true
 thunderbird: true
 vifm: true
-virtualbox: false
+virtualbox: true
 vivaldi: false
 yay: false
 yubikey: true

roles/base/files/ansible_setup/logrotate

@@ -0,0 +1,7 @@
+/var/log/ansible.log {
+    rotate 3
+    daily
+    compress
+    missingok
+    notifempty
+}

roles/base/handlers/main.yml

@@ -0,0 +1,22 @@
+---
+- name: apt_update
+  apt: update_cache=yes
+
+- name: restart_sshd
+  service:
+    name: "{{ openssh_service }}"
+    state: restarted
+
+- name: update_tmux_plugin_perms
+  file:
+    path: /home/rene/.tmux/plugins
+    owner: rene
+    group: rene
+    recurse: true
+
+- name: update_vim_bundle_perms
+  file:
+    path: /home/rene/.vim/bundle
+    owner: rene
+    group: rene
+    recurse: true

roles/base/tasks/ansible_setup.yml

@@ -0,0 +1,53 @@
+- name: ansible setup | ensure ansible is the latest version
+  tags: ansible,ansible-setup
+  package:
+    name: ansible
+    state: latest
+
+- name: ansible setup | install required packages
+  tags: ansible,ansible-setup,packages
+  package:
+    name:
+      - "{{ dconf_package }}"
+      - "{{ python_psutil_package }}"
+
+# Note: For Arch, the requirement is met by a dependency of systemd, only necessary on Debian-based
+- name: ansible setup | install acl package
+  tags: ansible,ansible-setup,packages
+  package:
+    name: acl
+  when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu"]
+
+- name: ansible:setup | create ansible log file
+  tags: ansible,ansible-setup
+  file:
+    path: /var/log/ansible.log
+    owner: rene
+    group: ansible
+    mode: 0664
+    state: touch
+  changed_when: False
+
+- name: ansible setup | add logrotate config for ansible log file
+  tags: ansible-setup
+  copy:
+    src: files/ansible-setup/logrotate
+    dest: /etc/logrotate.d/ansible
+    owner: root
+    group: root
+    mode: 0644
+
+- name: ansible setup | remove default ansible directory (/etc/ansible) from host
+  tags: ansible,ansible-setup
+  file:
+    path: /etc/ansible
+    state: absent
+
+- name: ansible setup | generate provision script from template
+  tags: ansible,ansible-setup,scripts
+  template:
+    src: provision.sh.j2
+    dest: /usr/local/bin/provision
+    owner: root
+    group: root
+    mode: 0755

roles/base/tasks/main.yml

@@ -0,0 +1,31 @@
+# Load distro-specific variables
+- include_vars: "{{ ansible_distribution }}.yml
+  tags: always
+
+- block:
+  # Make sure users exist on the system
+  - import_tasks: users/rene.yml
+  - import_tasks: users/root.yml
+
+  # Set up the ansible environment
+  - import_tasks: ansible_setup.yml
+
+  # install software
+  - import_tasks: software/repositories.yml
+  - import_tasks: software/packages_development.yml
+  - import_tasks: software/packages_cleanup.yml
+  - import_tasks: software/packages_pip.yml
+  - import_tasks: software/packages_utilities.yml
+
+  # Perform remeining tasks:
+  - import_tasks: system_setup/clock.yml
+  - import_tasks: system_setup/cron.yml
+  - import_tasks: system_setup/locale.yml
+  - import_tasks: system_setup/logging.yml
+  - import_tasks: system_setup/memory.yml
+  - import_tasks: system_setup/microcode.yml
+  - import_tasks: system_setup/openssh.yml
+  - import_tasks: system_setup/scripts.yml
+
+  rescue:
+    - set_fact: task_failed=true

roles/base/tasks/users/root.yml

@@ -0,0 +1,32 @@
+- name: users | root | ensure account is locked
+  user:
+    name: root
+    password_lock: yes
+
+- name: users | root | create config directories
+  file:
+    path: /root/{{ item.dir }}
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+  with_items:
+      - { dir: '.vim' }
+      - { dir: '.vim/colors' }
+  tags: dotfiles
+
+-name: users | root | copy dotfiles
+  copy:
+    src: users/root/{{ item.src }}
+    dest: /root/{{ item.dest }}
+    owner: root
+    group: root
+    mode: 0600
+  with_items:
+      - { src: 'bash/bashrc', dest: '.bashrc' }
+      - { src: 'bash/bash_profile', dest: '.bash_profile' }
+      - { src: 'bash/profile', dest: '.profile' }
+      - { src: 'tmux/tmux.conf' dest: '.tmux.conf' }
+      - { src: 'vim/vimrc', dest: '.vimrc' }
+      - { src: 'zsh/zshrc', dest: '.zshrc' }
+  tags: dotfiles

roles/base/tasks/users/software/packages_cleanup.yml

@@ -0,0 +1,11 @@
+- name: system setup | package cleanup | remove unneeded packages (debian, ubuntu, etc. )
+  tags: cleanup,packages,system,settings
+  package:
+    state: absent
+    name:
+      - cowsay
+      - exim4
+      - exim4-base
+      - exim4-config
+      - nano
+  when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu"]

roles/base/tasks/users/system_setup/clock.yml

@@ -0,0 +1,27 @@
+- name: system setup | clock | install systemd-timesyncd (ubuntu)
+  tags: ntp,system setup
+  package:
+    name: systemd-timesyncd
+    state: latest
+  when: ansible_distribution in ["Pop!_OS", "Ubuntu"]
+
+# Currently systemd-timesyncd for debian is available only in buster-backports
+- name: system setup | clock | install systemd-timesyncd (debian)
+  tags: ntp, system setup
+  apt:
+    name: systemd-timesyncd
+    default_release: buster-packports
+    state: latest
+  when: ansible_distribution == "Debian"
+
+- name: system setup | clock | start and enable systemd-timestampd
+  tags: ntp,system setup
+  service:
+    name: systemd-timesyncd
+    state: started
+    enabled: true
+
+- name: system setup | clock | set time zone
+  tags: tnp,timezone,system setup
+  timezone:
+    name: "Europe/Berlin"

roles/base/vars/Archlinux.yml

@@ -0,0 +1,20 @@
+amd_microcode_package: amd-ucode
+cron_package: cronie
+dconf_package: dconf
+dns_utils_package: bind-tools
+intel_microcode_package: intel-ucode
+lm_sensors_package: lm_sensors
+nfs_client_package: nfs-utils
+openssh_package: openssh
+openssh_service: sshd
+python_flake8_package: python-pyflakes
+python_package: python
+python_pip_package: python-pip
+python_psutil_package: python-psutil
+python_pyflakes_package: python-pyflakes
+python_virtualenv_package: python-virtualenv
+rename_package: perl-rename
+ruby_rake_package: ruby-rake
+sftp_path: /usr/lib/ssh/sftp-server
+sudo_group: wheel
+vim_package: gvim

roles/base/vars/Debian.yml

@@ -0,0 +1,21 @@
+amd_microcode_package: amd64-microcode
+cron_package: cron
+dconf_package: dconf-cli
+dns_utils_package: dnsutils
+intel_microcode_package: intel-microcode
+lm_sensors_package: lm-sensors
+nfs_client_package: nfs-common
+openssh_package: openssh-server
+openssh_service: ssh
+python_flake8_package: python3-flake8
+python_package: python3
+python_pip_package: python3-pip
+python_psutil_package: python-psutil
+python_pyflakes_package: python3-pyflakes
+python_virtualenv_package: python3-virtualenv
+rename_package: rename
+ruby_rake_package: rake
+sftp_path: /usr/lib/openssh/sftp-server
+sudo_group: sudo
+vim_package: vim-nox
+

roles/base/vars/Ubuntu.yml

@@ -0,0 +1,20 @@
+amd_microcode_package: amd64-microcode
+cron_package: cron
+dconf_package: dconf-cli
+dns_utils_package: dnsutils
+intel_microcode_package: intel-microcode
+lm_sensors_package: lm-sensors
+nfs_client_package: nfs-common
+openssh_package: openssh-server
+openssh_service: ssh
+python_flake8_package: python3-flake8
+python_package: python3
+python_pip_package: python3-pip
+python_psutil_package: python3-psutil
+python_pyflakes_package: python3-pyflakes
+python_virtualenv_package: python3-virtualenv
+rename_package: rename
+ruby_rake_package: rake
+sftp_path: /usr/lib/openssh/sftp-server
+sudo_group: sudo
+vim_package: vim-nox

roles/base/vars/main.yml

@@ -0,0 +1,2 @@
+rene_password:
+swappiness_value: 5